| [email protected] | df8e899b | 2011-02-22 22:58:22 | [diff] [blame^] | 1 | // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file. |
| 4 | |
| 5 | #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ |
| 6 | #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ |
| 7 | |
| 8 | #pragma once |
| 9 | |
| 10 | #include <map> |
| 11 | #include <set> |
| 12 | #include <string> |
| 13 | |
| 14 | #include "base/basictypes.h" |
| 15 | #include "base/gtest_prod_util.h" |
| 16 | #include "base/singleton.h" |
| 17 | #include "base/synchronization/lock.h" |
| 18 | |
| 19 | class FilePath; |
| 20 | class GURL; |
| 21 | |
| 22 | // The ChildProcessSecurityPolicy class is used to grant and revoke security |
| 23 | // capabilities for child porcesses. For example, it restricts whether a child |
| 24 | // process is permmitted to loaded file:// URLs based on whether the process |
| 25 | // has ever been commanded to load file:// URLs by the browser. |
| 26 | // |
| 27 | // ChildProcessSecurityPolicy is a singleton that may be used on any thread. |
| 28 | // |
| 29 | class ChildProcessSecurityPolicy { |
| 30 | public: |
| 31 | // Object can only be created through GetInstance() so the constructor is |
| 32 | // private. |
| 33 | ~ChildProcessSecurityPolicy(); |
| 34 | |
| 35 | // There is one global ChildProcessSecurityPolicy object for the entire |
| 36 | // browser process. The object returned by this method may be accessed on |
| 37 | // any thread. |
| 38 | static ChildProcessSecurityPolicy* GetInstance(); |
| 39 | |
| 40 | // Web-safe schemes can be requested by any child process. Once a web-safe |
| 41 | // scheme has been registered, any child process can request URLs with |
| 42 | // that scheme. There is no mechanism for revoking web-safe schemes. |
| 43 | void RegisterWebSafeScheme(const std::string& scheme); |
| 44 | |
| 45 | // Returns true iff |scheme| has been registered as a web-safe scheme. |
| 46 | bool IsWebSafeScheme(const std::string& scheme); |
| 47 | |
| 48 | // Pseudo schemes are treated differently than other schemes because they |
| 49 | // cannot be requested like normal URLs. There is no mechanism for revoking |
| 50 | // pseudo schemes. |
| 51 | void RegisterPseudoScheme(const std::string& scheme); |
| 52 | |
| 53 | // Returns true iff |scheme| has been registered as pseudo scheme. |
| 54 | bool IsPseudoScheme(const std::string& scheme); |
| 55 | |
| 56 | // Upon creation, child processes should register themselves by calling this |
| 57 | // this method exactly once. |
| 58 | void Add(int child_id); |
| 59 | |
| 60 | // Upon destruction, child processess should unregister themselves by caling |
| 61 | // this method exactly once. |
| 62 | void Remove(int child_id); |
| 63 | |
| 64 | // Whenever the browser processes commands the child process to request a URL, |
| 65 | // it should call this method to grant the child process the capability to |
| 66 | // request the URL. |
| 67 | void GrantRequestURL(int child_id, const GURL& url); |
| 68 | |
| 69 | // Whenever the user picks a file from a <input type="file"> element, the |
| 70 | // browser should call this function to grant the child process the capability |
| 71 | // to upload the file to the web. |
| 72 | void GrantReadFile(int child_id, const FilePath& file); |
| 73 | |
| 74 | // Grants certain permissions to a file. |permissions| must be a bit-set of |
| 75 | // base::PlatformFileFlags. |
| 76 | void GrantPermissionsForFile(int child_id, |
| 77 | const FilePath& file, |
| 78 | int permissions); |
| 79 | |
| 80 | // Revokes all permissions granted to the given file. |
| 81 | void RevokeAllPermissionsForFile(int child_id, const FilePath& file); |
| 82 | |
| 83 | // Grants the child process the capability to access URLs of the provided |
| 84 | // scheme. |
| 85 | void GrantScheme(int child_id, const std::string& scheme); |
| 86 | |
| 87 | // Grant the child process the ability to use Web UI Bindings. |
| 88 | void GrantWebUIBindings(int child_id); |
| 89 | |
| 90 | // Grant the child process the ability to use extension Bindings. |
| 91 | void GrantExtensionBindings(int child_id); |
| 92 | |
| 93 | // Grant the child process the ability to read raw cookies. |
| 94 | void GrantReadRawCookies(int child_id); |
| 95 | |
| 96 | // Revoke read raw cookies permission. |
| 97 | void RevokeReadRawCookies(int child_id); |
| 98 | |
| 99 | // Before servicing a child process's request for a URL, the browser should |
| 100 | // call this method to determine whether the process has the capability to |
| 101 | // request the URL. |
| 102 | bool CanRequestURL(int child_id, const GURL& url); |
| 103 | |
| 104 | // Before servicing a child process's request to upload a file to the web, the |
| 105 | // browser should call this method to determine whether the process has the |
| 106 | // capability to upload the requested file. |
| 107 | bool CanReadFile(int child_id, const FilePath& file); |
| 108 | |
| 109 | // Determines if certain permissions were granted for a file. |permissions| |
| 110 | // must be a bit-set of base::PlatformFileFlags. |
| 111 | bool HasPermissionsForFile(int child_id, |
| 112 | const FilePath& file, |
| 113 | int permissions); |
| 114 | |
| 115 | // Returns true if the specified child_id has been granted WebUIBindings. |
| 116 | // The browser should check this property before assuming the child process is |
| 117 | // allowed to use WebUIBindings. |
| 118 | bool HasWebUIBindings(int child_id); |
| 119 | |
| 120 | // Returns true if the specified child_id has been granted WebUIBindings. |
| 121 | // The browser should check this property before assuming the child process is |
| 122 | // allowed to use extension bindings. |
| 123 | bool HasExtensionBindings(int child_id); |
| 124 | |
| 125 | // Returns true if the specified child_id has been granted ReadRawCookies. |
| 126 | bool CanReadRawCookies(int child_id); |
| 127 | |
| 128 | private: |
| 129 | friend class ChildProcessSecurityPolicyInProcessBrowserTest; |
| 130 | FRIEND_TEST_ALL_PREFIXES(ChildProcessSecurityPolicyInProcessBrowserTest, |
| 131 | NoLeak); |
| 132 | |
| 133 | class SecurityState; |
| 134 | |
| 135 | typedef std::set<std::string> SchemeSet; |
| 136 | typedef std::map<int, SecurityState*> SecurityStateMap; |
| 137 | |
| 138 | // Obtain an instance of ChildProcessSecurityPolicy via GetInstance(). |
| 139 | ChildProcessSecurityPolicy(); |
| 140 | friend struct DefaultSingletonTraits<ChildProcessSecurityPolicy>; |
| 141 | |
| 142 | // You must acquire this lock before reading or writing any members of this |
| 143 | // class. You must not block while holding this lock. |
| 144 | base::Lock lock_; |
| 145 | |
| 146 | // These schemes are white-listed for all child processes. This set is |
| 147 | // protected by |lock_|. |
| 148 | SchemeSet web_safe_schemes_; |
| 149 | |
| 150 | // These schemes do not actually represent retrievable URLs. For example, |
| 151 | // the the URLs in the "about" scheme are aliases to other URLs. This set is |
| 152 | // protected by |lock_|. |
| 153 | SchemeSet pseudo_schemes_; |
| 154 | |
| 155 | // This map holds a SecurityState for each child process. The key for the |
| 156 | // map is the ID of the ChildProcessHost. The SecurityState objects are |
| 157 | // owned by this object and are protected by |lock_|. References to them must |
| 158 | // not escape this class. |
| 159 | SecurityStateMap security_state_; |
| 160 | |
| 161 | DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicy); |
| 162 | }; |
| 163 | |
| 164 | #endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ |
